Modify GW downgrade pack?

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by Jhyrachy, Jan 12, 2015.

  1. Jhyrachy (OP, GBAtemp Regular)
    Hi,
    I was looking to modify the GATEWAY.DG to allow the downgrade to a firmware lower than 4.5 (EU version).

    You may wonder why, but the answer is that in 4.5 a lot of DS-mode flashcards were blocked, like the Acekard 2i and EZ Flash Vi.

    Downgrading to a lower firmware will allow us to use our old flashcard to run the ds exploit without the need of a Gateway!

    To download the needed firmware we can use this tool: https://gbatemp.net/threads/release...ds-fw-contents-create-installable-cia.375993/

    And to decrypt the dg we can use this: https://gist.github.com/archshift/4cb754c432ba7854212a

    But then I do not know how to proceed :/
     


  2. sonic2756 (Friendly Neighborhood Wolf)
    I'm assuming we just need a way to repack the .dg?
     
  3. ChrisX930 (Banned)
    Not only this.
    I think we need to know exactly which files we need to downgrade the firmware WITHOUT bricking the console.
     
  4. Falo (GBAtemp Regular)
    Some stuff to think about:
    - the exploit is currently being reversed by several people, and after this is finished a "homebrew" launcher.dat is possible
    - this homebrew launcher.dat can do whatever we want, right on 9.2 without any downgrade or Gateway cart
    - downgrading below 4.1 will bring you nothing, since the memory addresses will change and then you can't execute launcher.dat; you would have to make a new launcher.dat to work with your older firmware

    and to answer your question:
    Inside gateway.dg is a list of TMDs + decrypted contents from CDN; repacking any decrypted and properly signed CIA into a new gateway.dg is possible, so installing CIAs without a downgrade or flashcard should be possible using this method.

    note:
    - CIAs downloaded from CDN are still encrypted and cannot be used without decrypting them first!
    - custom-made CIAs are not properly signed and cannot be used!
    - the TMDs inside are identical to CDN downloads; they are not modified to change the title version or remove the encryption flag
     
  5. Nollog (GBAtemp Addict)
  6. Jhyrachy (OP, GBAtemp Regular)
  7. Nollog (GBAtemp Addict)
    oh yeah, nobody has edited the new launcher yet. If it's even possible.
     
  8. Jhyrachy (OP, GBAtemp Regular)
    I'm unlucky with this:
    US 3DSes get back to 4.2, where the Acekard was enabled; EU 3DSes are downgraded to 4.5, where I was blocked.
     
  9. Classicgamer (GBAtemp Fan)
    Well, keep in mind it still doesn't work after the GW dg to 4.2 USA. I'm thinking the dg doesn't restore every file to 4.2. Thankfully cearp supplied his flashcardtimewarp CIA, which does then allow the AK2i to work again.
     
  10. Jhyrachy (OP, GBAtemp Regular)
  11. Falo (GBAtemp Regular)
    Well, I did, and others too; actually it's easier than decrypting the 2.X launcher.dat...

    The new Launcher.dat is a combination of the old 4.X exploit and the new browser exploit;
    the old exploit is from 0x0 to 0x8FFF.

    First, the browser payload stage 1 decrypt code:
    Code:
    unsigned int *buffer = (unsigned int *)0x08F01000; /* stage 2 load address */
    unsigned int key = 0;
    for (int i = 0; i < 0x1000; i++)   /* 0x1000 words = 0x4000 bytes */
    {
        key += 0xD5828281;   /* running key, wraps at 32 bits */
        buffer[i] += key;
    }
    The buffer is stage 2 and is always 0x4000 bytes; loading address = 0x08F01000.

    fw 2.0: buffer is at offset 0xA000 in launcher.dat
    fw 2.1-3.X: buffer is at offset 0xE000 in launcher.dat
    fw 4.0-4.X: buffer is at offset 0x12000 in launcher.dat
    fw 5.0-7.0: buffer is at offset 0x16000 in launcher.dat
    fw 7.1-9.4: buffer is at offset 0x1A000 in launcher.dat
    fw unknown: buffer is at offset 0x1E000 in launcher.dat

    Stage 2 is the obfuscated ROP code; basically it loads an ARM payload through ninjhax (gpuhax).
    Well, at this point it should be easy to get code execution... ^^

    Google "Reversing Gateway Ultra First Stage (Part 1)" if you want to know more.

    I don't think it's possible; they modify the TMD title version and the CXI is still encrypted.
    But it should be possible with an unmodified TMD and decrypted CDN content.
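The stage 1 loop above, as an added Python port (not Gateway's code and not Falo's) for pulling the stage 2 blob out of a Launcher.dat image for analysis: it uses the offset table from this post, enforces the 0x4000-byte size and reproduces the 32-bit wraparound of the ARM add. The Launcher.dat image used in the check is constructed, not a real file.

```python
import struct

# Offsets of the 0x4000-byte stage 2 blob inside Launcher.dat, per firmware range (from the post above).
STAGE2_OFFSETS = {"2.0": 0xA000, "2.1-3.X": 0xE000, "4.0-4.X": 0x12000,
                  "5.0-7.0": 0x16000, "7.1-9.4": 0x1A000, "unknown": 0x1E000}
STAGE2_SIZE, KEY_STEP, MASK = 0x4000, 0xD5828281, 0xFFFFFFFF

def decode_stage2(blob):
    """Same loop as the stage 1 code: a running 32-bit key is added to each little-endian word."""
    if len(blob) != STAGE2_SIZE:
        raise ValueError("stage 2 is always 0x4000 bytes")
    words, key, out = struct.unpack("<%dI" % (STAGE2_SIZE // 4), blob), 0, []
    for w in words:
        key = (key + KEY_STEP) & MASK      # the ARM add wraps at 32 bits
        out.append((w + key) & MASK)
    return struct.pack("<%dI" % len(out), *out)

def extract_stage2(launcher, fw):
    """Slice the stage 2 blob for the given firmware range out of a Launcher.dat image and decode it."""
    off = STAGE2_OFFSETS[fw]
    return decode_stage2(launcher[off:off + STAGE2_SIZE])

def keystream_word(i):
    """Value the loop adds to word i; decoding an all-zero blob yields exactly this sequence."""
    return ((i + 1) * KEY_STEP) & MASK
```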
     
  12. Classicgamer (GBAtemp Fan)
  13. mb2010 (Advanced Member)
    If only I could downgrade my EU 3DS XL to less than 4.5. My flash card was blocked on 4.5 but works on my 4.4 regular 3DS; really frustrating, I just want to play on the bigger screen.
     
  14. Falo (GBAtemp Regular)
    OK, after analyzing this file format a bit more, I found out that it's tricky to use this as a CIA installer, because this "downgrader" does not downgrade or install anything...

    Inside these dg's are 3 folders:

    CTR -> 3DS Titles + Ticket.db
    TWL -> DSi Titles
    FIRM -> Firmware Folder (firm.bin)

    How are they doing the downgrade?
    They just overwrite every 3DS & DSi system title with the files inside these folders, and then they write a pre-made ticket.db and firm.bin to your NAND.
    This will delete all of your installed eShop downloads...

    But this also means it's not possible to use this as a CIA installer, since you need some way to generate a ticket.db, and that's currently not possible without devmenu.

    Well anyway, here is a simple 010 Editor script to read it (after decrypting):

    Code:
    //--------------------------------------
    //--- 010 Editor v5.0.2 Binary Template
    //
    // File:
    // Author:
    // Revision:
    // Purpose:
    //--------------------------------------
    struct{
        char magic[4]; //GW3 + regionbyte
        //GW3E = EUR, GW3C = CHN, GW3T = TWN, GW3K = KOR, GW3J = JPN, GW3U = USA
        int headersize;
        ubyte checksum[headersize-8]; //unknown for now
     
        struct CTR ctr;  //3DS Container
        struct TWL twl;  //DSi Container
        struct FIRM firm; //Firmware Container
    }Header;
     
    struct CTR{
        char magic[4]; //CTR & 0x00
        int numCatalog;
        int szTicketDB;
        int szFirm; //reserved in ctr
     
        struct{
            struct CATA cata[numCatalog]<optimize=false>;
        }CatalogFiles;
     
        ubyte NandTicketDB[szTicketDB];
    };
     
    struct TWL{
        char magic[4]; //TWL & 0x00
        int numCatalog;
        int szTicketDB; //reserved in twl
        int szFirm; //reserved in twl
     
        struct{
            struct CATA cata[numCatalog]<optimize=false>;
        }CatalogFiles;
    };
     
    struct FIRM{
        char magic[4]; //FIRM
        int numCatalog; //reserved in firm
        int szTicketDB; //reserved in firm
        int szFirm;
     
        ubyte firm[szFirm];
    };
     
    struct CATA{
        char magic[4]; //CATA
        uint TitleIdHigh;
        int64 numTitles;
     
        //debug
        Printf("Folder: %08X, count: %d\n",TitleIdHigh, numTitles);
        struct TITL title[numTitles]<optimize=false>;
    };
     
    struct TITL{
        char magic[4]; //TITL
        int TitleIdLow;
        int unk3; //always 0?
        int tmd_size;
        int unk4; //junk data?
        int unk5; //junk data?
        int content0_size;
        int unk6; //junk data or content1_size
        int unk7; //junk data?
        int unk8; //junk data?
        int unk9; //always 0?
        int unk10; //always 0?
     
        struct TMD tmd;
        ubyte padding[0x3C]; //unknown...
     
        local int i;
        for(i=0;i<tmd.numContents;i++)
        {
            struct{
                byte data[tmd.contents[i].size];
            }Content;
        }
    };
     
    struct TMD{ //not the full struct
        BigEndian();
        ubyte data1[0x18C];
        uint64 TitleId;
        ubyte data2[0x48];
        ushort titleVersion;
        ushort numContents;
        ubyte data3[0x924];
        struct CONTENT contents[numContents]<optimize=false>;
        LittleEndian();
        //debug
        Printf("%016LX v%u\n",TitleId,titleVersion);
    };
     
    struct CONTENT{
        uint id;
        ushort index;
        ushort flags;
        int64 size;
        ubyte hash[0x20]; //sha256
    };
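The template above, as an added stand-alone Python parser (not Falo's code and not from any Gateway tool): it walks a decrypted pack's header, the CTR/TWL/FIRM containers, each CATA/TITL record and the big-endian TMD, and cross-checks the record's title id against the signed TMD. Layout is taken from the template (little-endian except the TMD); the 0x3C padding and the unk fields are treated as opaque, and the pack it parses is constructed inside the block.

```python
import struct
TMD_FIXED, CONTENT_REC, TITL_HDR, TITL_PAD = 0xB04, 0x30, 4 + 11 * 4, 0x3C
def parse_tmd(buf, off):
    """TMD: title id at 0x18C, version/count at 0x1DC, 0x30-byte content records from 0xB04."""
    title_id, = struct.unpack_from(">Q", buf, off + 0x18C)
    version, count = struct.unpack_from(">HH", buf, off + 0x1DC)
    recs = [struct.unpack_from(">IHHq", buf, off + TMD_FIXED + i * CONTENT_REC) for i in range(count)]
    contents = [dict(zip(("id", "index", "flags", "size"), r)) for r in recs]
    return {"title_id": title_id, "version": version, "contents": contents}, off + TMD_FIXED + count * CONTENT_REC
def parse_container(buf, off):
    """CTR / TWL / FIRM block: 16-byte header, CATA catalogs, then ticket.db and/or firm.bin."""
    magic, n_cat, sz_tdb, sz_firm = struct.unpack_from("<4siii", buf, off)
    rec, off = {"magic": magic.rstrip(b"\0").decode(), "titles": []}, off + 16
    for _ in range(n_cat):
        cmagic, id_high, n_titles = struct.unpack_from("<4sIq", buf, off); off += 16
        assert cmagic == b"CATA", "bad catalog magic"
        for _ in range(n_titles):
            tmagic, id_low = struct.unpack_from("<4si", buf, off)
            assert tmagic == b"TITL", "bad title magic"
            tmd, off = parse_tmd(buf, off + TITL_HDR)
            # Cross-check: catalog id (high) + record id (low) must equal the signed TMD's title id.
            assert tmd["title_id"] == (id_high << 32) | (id_low & 0xFFFFFFFF), "title id mismatch"
            off += TITL_PAD
            for c in tmd["contents"]:          # raw content blobs follow the TMD, in TMD order
                c["data"], off = buf[off:off + c["size"]], off + c["size"]
            rec["titles"].append(tmd)
    rec["ticket_db"], rec["firm"] = buf[off:off + sz_tdb], buf[off + sz_tdb:off + sz_tdb + sz_firm]
    return rec, off + sz_tdb + sz_firm
def parse_dg(buf):
    """Decrypted pack: 'GW3' + region byte, header size, unknown bytes, then CTR, TWL, FIRM."""
    magic, hdr_size = struct.unpack_from("<4si", buf, 0)
    assert magic[:3] == b"GW3", "not a decrypted GW3 pack"
    out, off = {"region": chr(magic[3])}, hdr_size
    for name in ("CTR", "TWL", "FIRM"):
        out[name], off = parse_container(buf, off)
        assert out[name]["magic"] == name, "container out of order"
    return out
def build_sample_dg():
    """Constructed test input (not a real pack): one 3DS title with one 16-byte content."""
    content = b"\xAA" * 16
    tmd = bytearray(TMD_FIXED)
    struct.pack_into(">Q", tmd, 0x18C, 0x0004001000022000)
    struct.pack_into(">HH", tmd, 0x1DC, 3, 1)           # title version 3, one content
    tmd += struct.pack(">IHHq", 1, 0, 0, len(content)) + b"\0" * 0x20
    titl = b"TITL" + struct.pack("<11i", 0x00022000, 0, len(tmd), 0, 0, len(content), 0, 0, 0, 0, 0)
    cata = b"CATA" + struct.pack("<Iq", 0x00040010, 1) + titl + bytes(tmd) + b"\0" * TITL_PAD + content
    ctr = b"CTR\0" + struct.pack("<iii", 1, 4, 0) + cata + b"TKDB"
    twl, firm = b"TWL\0" + struct.pack("<iii", 0, 0, 0), b"FIRM" + struct.pack("<iii", 0, 0, 8) + b"FIRMDATA"
    return b"GW3E" + struct.pack("<i", 16) + b"\0" * 8 + ctr + twl + firm
```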
    
     
  15. berichan (Member)
  16. ChrisX930 (Banned)
    But first, we need to know how to modify/replace the CXI files AND we need to know how to encrypt the dg file after that.
    Thank you btw for the batch file
     
  17. berichan (Member)

    Modify: Get CTRs > 3DSExplorer > extract ExHeader/ExeFS/RomFS > https://gist.github.com/archshift/9d48b03581dcea71dd0c
    Then you can do whatever you want with the CXIs.
    Re-encrypting, I'm not 100% sure.
     
  18. Codename (GREEN BRO IS BEST BRO)
    To repack and re-encrypt the downgrade files, couldn't someone attempt to make a script that reverses the actions of the decrypting and extracting scripts? Maybe it's not that easy, but it would be awesome if we could get something working. I would love to cheat my way around the downgrade and just downgrade the system titles (DS Profile stuff) necessary to get many flashcards working on 9.x.
     
  19. dicamarques (Definitely not Bruce Wayne.)
    Who's this archshift anyway?
     
  20. berichan (Member)

    You can recrypt the dg file by using the dg decryptor on the edited dg again, because it's just a bunch of XORs. I managed to edit a few things last night that I'm sure won't brick my system, but I'm not sure how to go about creating a ticket.db (title?) just yet.

    Someone on irc #3dsdev